EVerest MQTT Command Data Race Vulnerability Leading to Memory Corruption

A data race vulnerability has been identified in EVerest, an EV charging software stack, in versions prior to 2026.02.0. This vulnerability leads to undefined behavior in C++, with the potential for memory corruption. The issue arises from an MQTT message that commands the software to switch three phases while charging, causing shared contexts to be accessed concurrently without proper synchronization. This unsynchronized access can disrupt the charging control system, potentially leading to malfunctions in power management and relay switching.

Impact

Exploitation of this vulnerability can cause a data race that disrupts the state machine managing the charging process, potentially leading to incorrect handling of charging phases and control signals.

Reproduction

The vulnerability can be reproduced by sending an MQTT message to the topic 'everest_external/nodered/{connector}/cmd/switch_three_phases_while_charging' while simultaneously invoking the 'Charger::run_state_machine()' method. This can be automated with a thread that repeatedly sends the MQTT command, creating a race condition with the state machine's execution.

Remediation

Users can upgrade to EVerest version 2026.02.0, which includes a patch for this vulnerability.